[Openswan Users] 2 minute dropout
Jon Wilson
jon at phuq.co.uk
Thu Oct 21 22:41:30 CEST 2004
I've got a persistent problem with a connection from one user on our
l2tpd/ipsec VPN.
The remote user is running WinXP Pro with the NAT-T patch, and can
connect fine from his home ISP, dial-up, etc. When he tries to connect from
our new branch office he gets connected fine, but is consistently kicked
off after about two minutes. Any ideas?
The local end is Linux Openswan U2.1.4/K2.6.6 (native) (native)
The logs say this:
Oct 20 22:19:41 fermat pluto[1154]: "L2TP-RSA-remote"[378] $(REMOTE_IP):17224 #1649: IPsec SA established {ESP=>0x834db7f8 <0x7e2b114e}
Oct 20 22:22:01 fermat pluto[1154]: | NAT-T: new mapping $(REMOTE_IP):17224/17271)
Oct 20 22:22:01 fermat pluto[1154]: "L2TP-RSA-remote"[378] $(REMOTE_IP):17271 #1649: ERROR: netlink response for Add SA esp.7e2b114e at 217.207.240.35 included errno 22: Invalid argument
Oct 20 22:22:01 fermat pluto[1154]: "L2TP-RSA-remote"[378] $(REMOTE_IP):17271 #1648: received Delete SA(0x834db7f8) payload: deleting IPSEC State #1649
I do not have control over the network at the branch office, as it is a
leased services office. There is at least one level of NAT there,
possibly more.
local ipsec.conf fragment:
# VPN for remote hosts
conn L2TP-RSA-remote
    keylife=8.0h
    authby=rsasig
    pfs=no
    # local end
    left=(LOCAL_IP_ADDRESS)
    leftprotoport=17/1701
    leftcert=/etc/ipsec.d/certs/fermat.cert
    leftsendcert=always
    # The remote end
    right=%any
    rightrsasigkey=%cert
    rightca=%same
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%all
    auto=add
    keyingtries=1
    rekey=no
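
Added example, not part of the original post: a Python script that correlates the pluto log lines quoted above, reporting for each "NAT-T: new mapping" event the port change, any Add SA error or SA deletion logged within a few seconds of it, and how old the deleted SA was. The function name `correlate` and the 5-second window are assumptions; the sample log is the post's excerpt with wrapped lines rejoined.

```python
import re
from datetime import datetime

# Log excerpt from the post, wrapped lines rejoined. $(REMOTE_IP) is the
# poster's own placeholder and is kept verbatim.
SAMPLE_LOG = """\
Oct 20 22:19:41 fermat pluto[1154]: "L2TP-RSA-remote"[378] $(REMOTE_IP):17224 #1649: IPsec SA established {ESP=>0x834db7f8 <0x7e2b114e}
Oct 20 22:22:01 fermat pluto[1154]: | NAT-T: new mapping $(REMOTE_IP):17224/17271)
Oct 20 22:22:01 fermat pluto[1154]: "L2TP-RSA-remote"[378] $(REMOTE_IP):17271 #1649: ERROR: netlink response for Add SA esp.7e2b114e at 217.207.240.35 included errno 22: Invalid argument
Oct 20 22:22:01 fermat pluto[1154]: "L2TP-RSA-remote"[378] $(REMOTE_IP):17271 #1648: received Delete SA(0x834db7f8) payload: deleting IPSEC State #1649
"""

TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
ESTABLISHED = re.compile(r"#(\d+): IPsec SA established")
REMAP = re.compile(r"NAT-T: new mapping \S+:(\d+)/(\d+)")
ADD_SA_ERR = re.compile(r"#(\d+): ERROR: netlink response for Add SA .* errno (\d+)")
DELETE = re.compile(r"deleting IPSEC State #(\d+)")

def parse_ts(line):
    # syslog timestamps carry no year; a fixed one is enough for time deltas
    return datetime.strptime("2004 " + TS.match(line).group(1), "%Y %b %d %H:%M:%S")

def correlate(log_text, window=5):
    """Return one finding per NAT-T remap, with errors/deletes seen within `window` seconds."""
    established, events, findings = {}, [], []
    for line in log_text.splitlines():
        if not TS.match(line):
            continue
        ts = parse_ts(line)
        if m := ESTABLISHED.search(line):
            established[m.group(1)] = ts          # state number -> time established
        elif m := REMAP.search(line):
            findings.append({"time": ts, "old_port": int(m.group(1)),
                             "new_port": int(m.group(2)), "errors": [], "deleted": []})
        elif m := ADD_SA_ERR.search(line):
            events.append(("errors", ts, (m.group(1), int(m.group(2)))))
        elif m := DELETE.search(line):
            events.append(("deleted", ts, m.group(1)))
    for f in findings:
        for kind, ts, val in events:
            if 0 <= (ts - f["time"]).total_seconds() <= window:
                f[kind].append(val)
        # age of each deleted SA at the moment the NAT mapping changed
        f["sa_age_s"] = {sa: int((f["time"] - t).total_seconds())
                         for sa, t in established.items() if sa in f["deleted"]}
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

On the excerpt this shows the peer's source port moving from 17224 to 17271 exactly 140 seconds after state #1649 was established, with the errno 22 on Add SA and the Delete SA arriving in the same second.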